Tag Archives: OpenSSH

As of OpenSSH 6.2 there is the configuration option AuthenticationMethods, allowing for the requirement of more than one authentication method. For me the obvious combination here is requiring both regular ssh key auth as well as a physical YubiKey, both which need to succeed.

This post is a short description of my personal setup, focusing more on the how than on the whys.

In addition to the obvious requirement of having a YubiKey my setup depends on the following:

Running at least OpenSSH 6.2, which is provided by default as of Ubuntu 13.10. Debian wise it might be helpful to know that the Wheezy backports currently contains OpenSSH 6.5.

The Yubico PAM module. Assuming recent enough Debian/Ubuntu that module can be found in the libpam-yubico package.

Then there is the part about having PAM threat ssh passwords as YubiKey OTPs. Given Debian style /etc/pam.d/ I am modifying /etc/pam.d/sshd to replace the include of /etc/pam.d/common-auth with an include of my own custom /etc/pam.d/yubi-auth.

OpenSSH 5.7 just got released. You can read the full announcement at http://www.openssh.com/txt/release-5.7. Personally I especially appreciate the following improvement to their SFTP stack.

sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the “ln” command in the client. The old “ln” behaviour of creating a symlink is available using its “-s” option or through the preexisting “symlink” command

Being able to handle hard links definitely makes SFTP even more useful as a remote filesystem.

In a default Ubuntu, and probably any other modern Gnome based Linux desktop, the Gnome keyring takes the role of the ssh-agent. If this is not desirable you can tell the keyring not to do that by setting the gconf variable /apps/gnome-keyring/daemon-components/ssh to false.

At the next login you should see your environment variable SSH_AUTH_SOCK pointing towards a more proper socket. Note that the real ssh-agent is still started, assuming Ubuntu, thanks to /etc/X11/Xsession.d/90×11-common_ssh-agent.